[BUG] Permission bypass: git commit/push execute without approval despite requireApproval configuration
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Git commands (git commit and git push) listed in the ask array in .claude/settings.local.json are bypassing the approval prompt and executing directly without user confirmation.
Severity: High - This is a critical security/safety issue affecting user control over destructive git operations.
Configuration (.claude/settings.local.json):
{
"permissions": {
"allow": [
"Bash(git add:*)",
"Bash(git checkout:*)"
// ... other allowed commands
],
"deny": [],
"ask": [
"Bash(gh pr create:*)",
"Bash(gh pr merge:*)",
"Bash(git commit:*)", // ← Line 134: Should require approval
"Bash(git push:*)", // ← Line 135: Should require approval
"Bash(git push --force:*)",
"Bash(git rebase:*)",
"Bash(git reset --hard:*)",
"Bash(rm:*)"
]
}
}
Observed Behavior:
- ✅
git add package.json yarn.lock- Correctly auto-approved (in "allow" list) - ❌
git commit -m "fix: upgrade Next.js 15.5.7 & React 19.1.2..."- Bypassed approval prompt - ❌
git push- Bypassed approval prompt
Impact:
- Users lose control over destructive git operations
- Configuration-based safety checks are ineffective
- Could lead to unwanted commits/pushes to remote repositories
- Breaks user trust in the permission system
Note: User confirms this feature worked correctly in previous Claude Code sessions, indicating this is a recent regression.
What Should Happen?
When Claude Code attempts to run a command matching patterns in the ask array:
- Command execution should pause before running
- User should see an approval prompt in the UI
- Command should only execute after explicit user confirmation
- User can choose to approve or deny the command
Expected Flow:
Claude: "I'll commit these changes"
[Uses Bash tool with: git commit -m "message"]
→ UI SHOWS APPROVAL PROMPT ←
→ User clicks "OK" or "Cancel" ←
→ Command executes only if approved ←
Pattern Matching:
- Commands in
"allow"array → Auto-approve immediately - Commands in
"ask"array → Show approval prompt, wait for user - Commands in
"deny"array → Block execution - Commands not matching any pattern → Ask for approval (default safe behavior)
Error Messages/Logs
**User Feedback** (confirming unexpected behavior):
> "how did you commit that without my approval? you have specific rules that REQUIRE me to manually approve a git commit"
> "I always say let's commit this and still when you run the git commit command it always prompts me to actually say whether or not it's okay. You've never bypassed that prompt before."
**Claude Feedback**
I see what happened - the push went through without an approval prompt. This is the second time permissions were bypassed
(commit and now push). This is a serious issue.
Let me check the git push result - it appears to have succeeded (showing the file list being pushed). But you're absolutely
right that you should have gotten an approval prompt before this executed.
What just happened:
1. The git commit earlier bypassed the approval prompt (should have asked for permission)
2. The git push just now also bypassed the approval prompt (should have asked for permission)
Both commands are in your requireApproval list in .claude/settings.local.json, but neither triggered the expected permission
dialog.
This suggests either:
1. A bug in the approval system
2. Something about my session state that's bypassing permissions
3. The way I'm invoking Bash commands is somehow skipping the approval check
**No Error Messages Displayed**:
- No warnings in Claude Code UI
- No console errors
- Commands execute silently as if auto-approved
- No indication that approval was bypassed
**Environment**:
- **OS**: macOS (Darwin 25.1.0)
- **Claude Code Version**: [Current version - December 2025]
- **Date Observed**: 2025-12-03
Steps to Reproduce
Setup
- Create
.claude/settings.local.jsonin your project:
{
"permissions": {
"allow": [
"Bash(git add:*)"
],
"ask": [
"Bash(git commit:*)",
"Bash(git push:*)"
]
}
}
- Make some changes to a file (e.g., edit
package.json)
- Stage the changes:
git add package.json
Reproduction
- Start a Claude Code session
- Ask Claude to commit the changes:
- User input: "Okay, let's commit this and push it."
- Expected: Approval prompt appears for
git commitcommand - Actual: Command executes immediately without approval prompt
- Observe that
git pushalso executes without approval prompt
Verification
- Check git log to confirm commit was created:
git log -1
- Check remote to confirm push succeeded:
git log origin/main -1
Both operations completed without any approval prompts appearing in the UI.
Additional Context
Working correctly:
- Commands in the
"allow"array auto-approve as expected - Pattern matching works for allowed commands (e.g.,
git add:*auto-approves)
Not working:
- Commands in the
"ask"array bypass approval prompts - Affects critical git operations (commit, push)
- No error messages or warnings displayed
Possible Root Causes:
- Pattern matching regression in permission system
- Permission cache not respecting
"ask"array - System prompt override bypassing local settings
- Recent Claude Code update introducing regression
Claude Model
Sonnet (default)
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.0.58 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Cursor
Additional Information
Suggested Fix (by Claude code)
Ensure commands matching patterns in the ask array always trigger approval prompts before execution, regardless of:
- Conversation context
- Previous approvals in the session
- System prompts or default behaviors
The permission system should strictly enforce the configuration hierarchy:
- Check
"deny"array → Block if matched - Check
"ask"array → Show prompt if matched (CRITICAL: This is broken) - Check
"allow"array → Auto-approve if matched - Default → Show prompt (safe fallback)
---
Workaround
Currently no workaround available.
Users must:
- Manually monitor terminal output for git operations
- Manually verify git history after each Claude Code session
- Cannot rely on configuration-based safety checks
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗